

All earlier answers are missing a very important step and its implication and are misunderstanding EAP.

WPA2-PSK (aka WPA2 Personal) basically does the same thing as WPA2-Enterprise from the client's perspective: The client associates to the access point, authenticates to the access point using the pre-shared key, and the access point creates a 256-bit PMK (pairwise master key) from the SSID and the pre-shared key (PSK). This PMK is then used to encrypt data traffic using CCMP/AES or TKIP. The important thing to note here is that all clients will always encrypt their data with the same PMK, all the time. So it's easy to gather a lot of data encrypted with the same PMK. Should someone break the PMK, they could decrypt all data encrypted with that key, past/recorded and future/realtime.

WPA2-Enterprise is only a little bit different behind the scenes, but the security implications are severe: The client associates to the access point, authenticates to the access point, who passes this on to a backend RADIUS server (using EAP, but that's not important here, so more on that at the end). When the RADIUS server has authenticated the client, it gives the access point an OK, plus a RANDOM 256-bit pairwise master key (PMK) to encrypt data traffic for the current session only. Instead of each client using the same PMK all the time (the seed of which is known plaintext, because the SSID is used as seed!), now every client uses a different PMK; it changes every session/association and the seed is random and unknown. Not only that, but this PMK will be 256 bits of real entropy (not a hash from a usually much smaller password containing words), so dictionary attacks are useless. Should someone break a particular PMK, they only get access to one session of one client. Also (if the right EAP method is used) they don't get access to the user's credentials, since they were individually encrypted. Also remember that this PMK is 256-bit AES; this is currently "uncrackable" (128-bit is considered safe for the moment, but not for long).

That's a whole lot more secure.
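The PMK derivation the answer above describes, as an added example that is not part of the original answer. The WPA2-PSK side is the real derivation from IEEE 802.11i (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 256-bit output, checked against the standard's own "password"/"IEEE" test vector); the WPA2-Enterprise side is a deliberate simplification that models the RADIUS-supplied PMK with a CSPRNG rather than with real EAP key material. The function names and the simulated client/session loop are this example's own.

```python
import hashlib
import secrets

PBKDF2_ITERATIONS = 4096  # iteration count mandated by IEEE 802.11i for WPA/WPA2-PSK
PMK_LEN = 32              # pairwise master key is 256 bits


def psk_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).

    The SSID is public and the passphrase is shared, so every client on the
    network derives exactly this value, and its entropy is bounded by the
    passphrase, not by the 256-bit output length.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN
    )


def enterprise_pmk() -> bytes:
    """WPA2-Enterprise (simplified model): a fresh 256-bit PMK per authentication.

    In a real deployment the PMK is taken from the key material the EAP method
    exports after a successful authentication; modelling it as CSPRNG output is
    this example's assumption, and it captures the property that matters here:
    the value is unpredictable and unique to one client session.
    """
    return secrets.token_bytes(PMK_LEN)


def distinct_pmks(mode: str, clients: int, sessions: int,
                  passphrase: str = "correct horse battery staple",
                  ssid: str = "example-corp-wifi") -> int:
    """Simulate `clients` stations each associating `sessions` times.

    Returns how many distinct PMKs were in use. For "psk" this is always 1,
    because the derivation has no per-client or per-session input; for
    "enterprise" it is clients * sessions, one key per association.
    """
    seen = set()
    for _client in range(clients):
        for _session in range(sessions):
            if mode == "psk":
                seen.add(psk_pmk(passphrase, ssid))
            elif mode == "enterprise":
                seen.add(enterprise_pmk())
            else:
                raise ValueError(f"unknown mode {mode!r}")
    return len(seen)


def blast_radius(mode: str, clients: int, sessions: int) -> int:
    """Number of (client, session) pairs exposed if a single PMK is broken."""
    total = clients * sessions
    return total if mode == "psk" else 1


if __name__ == "__main__":
    # Standard test vector from IEEE 802.11i Annex H.4: passphrase "password", SSID "IEEE".
    print("PSK PMK for password/IEEE:", psk_pmk("password", "IEEE").hex())
    for mode in ("psk", "enterprise"):
        print(f"{mode:10s} distinct PMKs over 5 clients x 3 sessions:",
              distinct_pmks(mode, 5, 3),
              "| sessions exposed by one broken PMK:",
              blast_radius(mode, 5, 3))
```

Changing the SSID changes every client's PSK-mode PMK at once (it is the salt), which is why the answer stresses that the seed is public: the only secret input is the passphrase, and the derivation is identical for everyone who knows it.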
